Train-Up or Hire-In?

The Pros and Cons of IT Security Training

Whether you’ve been hit with an attack, or are just seeing all the breaches happening in the news daily, you may be concerned that your security tools are just not going to cut it anymore. Along with data security awareness training for your non-technical employees, it’s also important that you have a strong, technically-proficient security team to mitigate incidents and events as they arise. Now the real question: should you hire-in or train-up?

Let’s first look at the pros and cons of hiring-in new talent

Pros:

Hiring-in new talent can come with a lot of great perks. You get a fresh eye and perspective in the role, while avoiding an internal sense of entitlement or unnecessary competition between existing employees.

They may also be critical in filling skill gaps in your current organization.

Additionally, companies in industries where the market and technology are changing rapidly (cyber security especially) may not be able to train their existing employees. If you do not have the time and resources to train existing employees in such quickly advancing technologies and marketplaces, hiring-in new talent with the knowledge and experience required to work with these technologies and markets clearly makes the most sense for you.

Cons:

The major con of hiring-in is that it poses a risk because you don’t know the person. This could lead to a high turn-over rate (which can get pricey) because of low productivity, mismatched expectations, or a poor fit with the company culture. This is especially true if your company relies on heavy networking and communication to get jobs done. As Professor Peter Cappelli, director of Wharton’s Center for Human Resources, said, “They know what to ask each other. They know each other’s strengths.” Your new hire may not.

Now let’s look at the pros and cons of training-up existing talent

Pros:

The most obvious advantage to training your employees up is that you know them. You should have a pretty good idea of their strengths, weaknesses and potential. As Sinclair Schuller said (in the same interview linked above) “…the value of training your own talent is that you can shape and mold the employee for your unique culture and environment.”

Another perk is that it typically costs less. With no recruitment costs, a lower risk of turn-over, and likely lower salary expectations, internal promotions usually require less training than hire-ins and cost less overall.

Additionally, and specific to cyber security: given the continual advancements by hackers and cyber attackers, your employees will require continual training to keep up with industry methodology, tools and trends whether you hire-in or train-up. So if you possess motivated, intelligent talent with minimal understanding, it may be well worth training them to meet the standards of the industry today.

When it comes to training IT staff in cybersecurity skill sets, they should already have a deep understanding of your network and environments, giving them a competitive edge over those who may know cyber security methodologies but lack experience with your specific environment, systems and tools.

Cons:

The main cons of training-up are lack of knowledge and experience. This is especially true for cyber security experts. Many people coming out of college, or without professional experience, do not understand how to mitigate risks in a real-world setting.

Another con is shaking up the company culture. You may see more potential in a junior employee. How will you handle promoting them over a more seasoned, senior employee? This is a concern to consider; however, refined leadership skills can defuse potential issues.

For all the above reasons, when looking to boost your cyber security workforce, I would prescribe a hybrid strategy. Hire-in one or two experts who are willing to help guide your internal promotions through their training. You’ll get the benefits of fresh perspective and expertise, while empowering your employees and leveraging the talent you already know you have.

CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cyber security training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. The On Demand LMS platform has white-label capabilities ideal for internal training purposes.